First you want IP instead of TCP (unless you really only want TCP traffic)
and just leave the content part out. I also excluded home_net as the
destination, so it will flag packets that arrive no matter what the
destination address is; that part is up to you.
alert ip <IP>/32 any -> any any (msg:"LOCAL - traffic from <IP>"; classtype:misc-activity; sid:1000000; rev:1;)
At 03:20 PM 4/3/2003 -0500, Esler, Joel Contractor wrote:
>To create a rule to look for specific IPs regardless of content would be???
>alert tcp <IP> any -> $home_net any; (MSG:<IP>; content:""; nocase; classification:misc-activity;)
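As an added example (not part of this thread or of Snort itself), here is a small Python linter for the Snort 2 rule syntax the two posts above use. It flags what went wrong in the original tcp attempt (the stray `;` before the option list, the empty content:"", and the classification keyword, where the rule option is classtype, plus the missing sid) and accepts the protocol-agnostic ip rule from the reply. The recognised keyword set and the treatment of the <IP> placeholder as an ordinary address token are assumptions.

```python
import re

# Minimal Snort 2-style rule linter (added example, not Snort's own parser).
# Splits on ';' naively, so a msg containing ';' would confuse it.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"ip", "tcp", "udp", "icmp"}
# Rule options we recognise. 'classification' is deliberately absent: it is a
# 'config classification:' directive, not a rule option; the option is classtype.
KNOWN_OPTS = {"msg", "content", "nocase", "classtype", "sid", "rev",
              "priority", "reference", "flow"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# 'any', a $VAR, a single port, or a range such as 1024: / :1023 / 80:8080
PORT_RE = re.compile(r"^!?(any|\$\w+|\d+(:\d*)?|:\d+)$")


def lint_rule(rule: str) -> list[str]:
    """Return the problems found in one rule; an empty list means it looks valid."""
    problems = []
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ["header does not match 'action proto src sport -> dst dport (options)'"]
    if m["action"] not in ACTIONS:
        problems.append(f"unknown action {m['action']!r}")
    if m["proto"] not in PROTOS:
        problems.append(f"unknown protocol {m['proto']!r}")
    for field in ("sport", "dport"):
        if not PORT_RE.match(m[field]):
            # catches e.g. 'any;' when a ';' was typed before the '('
            problems.append(f"bad port {m[field]!r}")
    seen = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, value = opt.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key not in KNOWN_OPTS:
            problems.append(f"unknown option {key!r}")
        elif key == "content" and value in ('""', ""):
            problems.append('content:"" matches nothing; omit content to match any payload')
        seen[key] = value
    if "msg" not in seen:
        problems.append("missing msg")
    if "sid" not in seen or not seen["sid"].isdigit():
        problems.append("missing or non-numeric sid")
    return problems
```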